Security Statement

GDC Security Statement

(September 15, 2021)

OUR SECURITY, BRIEFLY STATED

GDC is dedicated to protecting all of your data, including your personal data. To secure your data, GDC has implemented a broad range of technical and organizational security measures that include, but are not limited to, the following:

  1. Independent Certifications.
  • GDC is ISO 27001:2013 compliant and has been certified within the last 12 months.

  2. Risk Management.
  • GDC performs an annual Information Security risk assessment covering GDC infrastructure and information assets.
  • The risk assessment is conducted using an industry-standard methodology (based on ISO 27002) to aid in identifying, measuring, and treating known risks.
  • Risk assessment results and risk mitigation suggestions are shared with senior management.
  • GDC’s risk assessment results are designed to highlight and identify potential changes to systems, processes, policies, or tools in order to reduce security vulnerabilities and threats.

  3. Security Policy.
  • Policies, including those related to data privacy, security, and acceptable use, are assessed and approved by GDC senior management. Policies are documented and published to all relevant personnel.
  • Employees and contracted third parties are required to comply with the GDC policies relevant to their scope of work.
  • New employees receive training on confidentiality obligations, information security, compliance, and data protection.
  • Employees receive regular training updates, which cover GDC Information Security policies and expectations.
  • Where required, policies are supported by associated procedures, standards, and guidelines.
  • Information Security policies are updated as needed to reflect changes to business objectives or risk.
  • Senior management performs an annual review of all Information Security policies.
  • Information Security policies are stored, maintained, updated, and published in a centralized, online location.
  • GDC’s Information Security Management System contains appropriate sections including password requirements, Internet usage, computer security, confidentiality, customer data protection, and Company data protection.

  4. Organization of Information Security.
  • Information Security governance and data protection compliance for the Company are the responsibility of the CTO.
  • GDC has established an Information Security team, with security responsibilities shared across various business units.
  • Confidentiality and nondisclosure agreements are required when sharing sensitive, proprietary, personal, or otherwise confidential information between GDC and any third party.
  • A formal process is in place to manage third parties with access to organizational data, information systems, or data centers. All such third parties commit contractually to maintaining the confidentiality of all confidential information.

  5. Asset Management.
  • GDC assigns ownership for all information assets.
  • GDC maintains an information asset classification policy and classifies such assets in terms of their value, legal requirements, sensitivity, and criticality to the organization.
  • Desktops and laptops use encrypted storage partitions.

  6. Human Resources Information Security.
  • Security roles and responsibilities for employees are defined and documented.
  • GDC performs background screening of new hires, including job history, references, and criminal checks (subject to local laws).
  • GDC requires all new employees to sign employment agreements, which include comprehensive non-disclosure and confidentiality commitments.
  • GDC maintains an information security awareness and training program that includes new hire training.
  • Information Security awareness is reinforced through regular communications, using company-wide emails as necessary.
  • The organization maintains attendance records for all formal security awareness training sessions.
  • The Human Resources department notifies the Engineering team of any changes in employment status and of employment terminations.

  7. Physical and Environmental Security.
  • Physical security controls in all data centers GDC uses to provide the service include protection of facility perimeters using various access control measures (including biometric identification, supervised entry, 24/7/365 on-premise security teams, and CCTV systems).
  • Access to data centers is limited to authorized employees or contractors only.
  • Controls are in place to protect against environmental hazards at all data centers.
  • All data center facilities have been successfully attested against SSAE 16, SOC 2 Type 2, ISO 27001, or similar requirements.

  8. Communications and Operations Management.
  • The operation of systems and applications that support the Service is subject to documented operating procedures.
  • The Engineering team maintains standard server configurations.
  • Separate environments are maintained to allow changes to be tested.
  • Third-party access to GDC systems is regularly audited.
  • All systems and network devices are synchronized to a reliable and accurate time source via the Network Time Protocol (NTP).
  • All high-priority event-alerting tools escalate into notifications for GDC’s incident response teams, providing the Engineering team with alerts as needed.

  9. Access Controls.
  • GDC maintains an “Acceptable Use” policy that outlines requirements for the use of user IDs and passwords.
  • The organization publishes and maintains a password management standard. In general, users are asked to follow strong password policies.
  • Strong authentication practices (e.g., SSH keys, 2FA, IP-based restrictions) are used to control access to production and development environments.
  • Direct access to the “root” account on all production servers is restricted to the Engineering personnel for whom it is deemed necessary.
  • All access controls are based on “least privilege” and “need to know” principles. Different roles, including limited and administrative access, are used in the environment.
  • Upon notice of termination, all user access is removed. All critical system access is removed immediately upon notification.

  10. Information Systems Acquisition, Development, and Maintenance.
  • Product features are managed through a formalized product management process. Security requirements are discussed and formulated during scoping and design discussions.
  • Application source code is stored in a central repository. Access to source code is limited to authorized individuals.
  • Changes to GDC software are tested before production deployment. Deployment processes include unit testing in the source environment, as well as integration and functional testing within a test environment, prior to implementation in production.

  11. Information Security Incident Management.
  • GDC maintains an incident response process.
  • Internally, GDC maintains an incident response plan that is tested on a regular basis. The plan addresses specific incident response procedures, data backup procedures, roles and responsibilities, customer communication, contact strategies, and legal information flow.
  • The incident response plan is exercised on a regular basis, at least annually.

  12. Business Continuity Management.
  • For redundancy, GDC uses a distributed architecture to ensure resiliency and reliability.
  • GDC has implemented redundant data center infrastructure to better support high availability across the entire system. Each key service layer includes redundant components that mitigate the impact of predictable failures such as hardware problems, and that also allow for capacity scaling as customer data and usage grow.

  13. GDC Application Security Features.
  • Access to GDC services requires a unique set of credentials. GDC requires the use of HTTPS for all communications with our website and services.